Hello,
I have a problem regarding a DIP on a SSG520M firewall (ScreenOS 6.0.0r7).
The firewall is configured with 2 interfaces:
- untrust (route mode, with a DIP defined on an external subnet with no port translation - 83.x.y.0/24)
- trust (route mode)
There's a policy applying the DIP from the Trust interface to the internet, and that's working flawlessly.
My problem is, I have to allow some specific traffic from the internet to the trusted addresses: some users have to receive sessions on specific ports.
This ain't working at all: taking a look at traffic log from Internet to the Trusted networks, I noticed that the destination address (taken from the DIP pool) is not translated back into the corresponding Trust address...it remains the same!
I.e.:
a DIP element: 172.27.0.100 -> 83.X.Y.234
Source Address/Port: 124.123.90.170:27085
Destination Address/Port: 83.x.y.234:512
Translated Source Address/Port: 124.123.90.170:27085
Translated Destination Address/Port: 83.x.y.234:512
I have to add that at the moment there's no route on the firewall to the 83.x.y.0/24 network (because it's just a DIP pool).
It seems that I have to allow an incoming NAT on DIP.
I tried to enable it on the DIP tab under the interface settings, and then I wrote a policy with the DIP pool as a destination address, but ScreenOS responded that this function worked for VoIP traffic only.
Any help would be greatly appreciated!
Thanks for your time, and best regards.